Active Directory Users

Overview

This page explains how to integrate your Active Directory Users data source with Hunters. The resulting table holds information about domain users and their properties, including person-related information. For more information on the data schema see here or here.

This data source is used in the Hunters Pipeline mainly to correlate various entities (username, email, AWS User ARN, etc.) to a related person entity, which gives context for security-related events and allows correlating signals from different attack surfaces.

Getting the data

To retrieve the data in the expected format, run the following PowerShell commands on the relevant Domain Controllers:

# Load the Active Directory cmdlets (available on Domain Controllers and hosts with RSAT installed)
Import-Module ActiveDirectory
# Export every domain user with all of its attributes to a CSV file at <FILE_PATH>
Get-ADUser -Filter * -Properties * | Export-Csv <FILE_PATH>

Files from several Active Directories can be shipped as well; in that case the command above needs to be run against every Active Directory, producing one file per directory.

Also note that, for a better integration, it is recommended to set up a periodic job (e.g. a cron job or Windows scheduled task running once a day) that executes the command above and ships the resulting files to Hunters.

Expected Format on Hunters' Side

For the Hunters ingestion mechanism to accept the output file, the following requirements need to be satisfied:

  1. The output file should be passed as is, without modifications, to a storage service (e.g. an S3 bucket or Azure Blob Storage) shared with Hunters.
  2. The file should be placed under a dedicated prefix inside the shared bucket (e.g. s3://<BUCKET_NAME>/active_directory_users/).
  3. All time fields in the output file (CREATED, MODIFIED, etc.) should be in the following format: %Y-%m-%dT%H:%M:%S. This can be achieved with a calculated property that calls ToString with that format (e.g. @{Name='Created';Expression={$_.Created.ToString("yyyy-MM-ddTHH:mm:ss")}}).
  4. The file name should start with the execution time (snapshot time) in the following format: %Y%m%dT%H%M%S (e.g. 20210502T120000_ad_users.csv).
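The following script ties the export command and the four requirements above into one job. It is an added example, not code from the Hunters documentation or product: it assumes the ActiveDirectory module is installed on the host, that `$OutputDir` (a hypothetical local staging directory) is shipped to the shared bucket prefix by a separate transfer step, that snapshot times are taken in UTC (the page does not state a time zone), and it normalises every DateTime-typed attribute rather than only the two named on the page. The `-Server` parameter is there so the same script can be run once per Active Directory when several directories are exported.

```powershell
# Added example (not Hunters' own code): export AD users in the format Hunters expects.
# Assumptions: ActiveDirectory module present; $OutputDir is a hypothetical staging
# directory that a separate job ships to s3://<BUCKET_NAME>/active_directory_users/.
param(
    [string]$OutputDir = 'C:\hunters\ad_users',   # hypothetical staging directory
    [string]$Server                               # optional: DC/domain to query, for multi-AD setups
)

Import-Module ActiveDirectory

# Requirement 3: every time field in the file uses %Y-%m-%dT%H:%M:%S
$TimeFormat = 'yyyy-MM-ddTHH:mm:ss'

# Requirement 4: file name starts with the snapshot time in %Y%m%dT%H%M%S (UTC assumed here)
$Snapshot = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmss')
$FilePath = Join-Path $OutputDir "${Snapshot}_ad_users.csv"
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# Build the query once so the same script serves one or many directories
$QueryArgs = @{ Filter = '*'; Properties = '*' }
if ($Server) { $QueryArgs['Server'] = $Server }

# Normalise each DateTime-typed attribute (Created, Modified, LastLogonDate, ...) to the
# required string format; all other attributes are passed through unchanged, so the file
# otherwise matches what the plain Get-ADUser | Export-Csv command produces.
Get-ADUser @QueryArgs |
    ForEach-Object {
        $row = [ordered]@{}
        foreach ($prop in $_.PSObject.Properties) {
            if ($prop.Value -is [datetime]) {
                $row[$prop.Name] = $prop.Value.ToString($TimeFormat)
            } else {
                $row[$prop.Name] = $prop.Value
            }
        }
        [pscustomobject]$row
    } |
    Export-Csv -Path $FilePath -Encoding UTF8

# Sanity check before shipping (requirements 3 and 4): fail loudly rather than upload a
# file the ingestion mechanism will reject.
$TimePattern = '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$'
if ((Split-Path $FilePath -Leaf) -notmatch '^\d{8}T\d{6}_') {
    throw "File name does not start with a %Y%m%dT%H%M%S snapshot time: $FilePath"
}
$Rows = Import-Csv -Path $FilePath
$BadRows = @($Rows | Where-Object { $_.Created -and $_.Created -notmatch $TimePattern })
if ($BadRows.Count -gt 0) {
    throw "$($BadRows.Count) rows have a Created field not in %Y-%m-%dT%H:%M:%S format"
}
Write-Host "Exported $($Rows.Count) users to $FilePath"
```

Run it as `.\Export-ADUsersForHunters.ps1 -Server dc01.corp.example` once per directory (the script name and server are placeholders); the scheduled task that runs it daily is the one that then copies `$OutputDir` to the dedicated bucket prefix. Converting every DateTime attribute, rather than only Created and Modified, keeps fields such as LastLogonDate and PasswordLastSet in the same format, which avoids mixed time formats in a single column set.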